Once again, we are approaching the end of the year, so what could be more convenient than an end-of-the-year list of cyber incidents within automotive cybersecurity? The list is taken from Upstream’s 2021 Automotive Cybersecurity Report, and the incidents are only briefly described. So, for deeper knowledge of the incidents, the interested reader is welcome to contact us or to dive into the endless ocean of information and surf on the waves of the Internet.
Top 2020 cyber incidents
- In India, thieves with cheap electronic devices were able to bypass the engine control module, unlock the vehicle, start the engine, and access the vehicle’s computer. No more than 4 118 vehicles were stolen.
- A hack on Mobileye 630 PRO and Tesla Model X fooled the ADAS and autopilot systems into triggering the brakes and steering.
- Hackers found 19 vulnerabilities in a Mercedes-Benz E-Class car which allowed them to remotely control the vehicle, open its doors, and start the engine.
- Hackers took full control of an OEM’s corporate network by reverse engineering the Transmission Control Unit (TCU) of the vehicle and using the telematics connection to infiltrate the network.
- After the source code of a connected car component was made publicly available, hackers obtained passwords and API tokens for the internal systems of Daimler.
- On the dark web, hackers publicly offered to sell car rental information of 3.5 million Zoomcar users.
- The Australian transportation fleet Toll Group was hit with a ransomware attack for the second time in 2020, affecting 1 000 servers and 40 000 employees.
- Honda stopped production in a number of its plants in Europe and Japan since their networks were attacked with the Snake ransomware.
- More than 300 vulnerabilities were found in over 40 ECUs developed by 10 Tier-1 companies and OEMs.
- A VPN vulnerability in Hyundai’s network was exploited by hackers, who then offered to sell VPN access to the OEM on the dark web.
- A hacker was able to gain control over Tesla’s entire connected vehicle fleet by exploiting a vulnerability in the OEM’s server-side mechanism.
Well, while we’re at it, here is another list of automotive cyberattacks covering the last two decades, found in Forbes, by Steve Tengler.
2002 Hackers, hired by the aftermarket consumers, reprogrammed the calibrations of the powertrain to improve the car’s performance.
2005 Bluetooth was hacked, which allowed the hackers to listen to conversations or download contact information.
2007 Inverse Path hacked a radio-based traffic feed and could seemingly close European roads, thereby diverting traffic away from a given highway.
2010 Hackers Remotely Kill a Jeep on the Highway, the most significant hack of the last decade performed by Charlie Miller and Chris Valasek.
2010 Researchers at Rutgers University and The University of South Carolina successfully penetrated a non-encrypted tire-pressure monitoring system (TPMS).
2010 White hat hackers/researchers were able to remotely disable key vehicular systems (including throttle and brakes) as long as a connected dongle was plugged into the service port of the vehicle.
2013 Again, Charlie Miller and Chris Valasek showed their ability to truly futz with the overall system of a Ford Escape (and a Toyota Prius), but this time it wasn’t remotely. They were sitting in the backseat. Still noteworthy, though.
2013 A group of Dutch and British scientists release an academic paper showing the secret algorithm used to identify each unique ignition key of multiple brands. Consequently, the High Court of Britain immediately imposes an injunction to stop further publishing of the paper.
2014 Kaspersky Labs does a full threat assessment of the BMW ownership experience (e.g. websites, apps) and finds serious vulnerabilities including opening and starting the car.
2014 “Secure My Car” shows how smashing a window and plugging something into the service port allows a thief to disarm the security and start the vehicle.
2015 The infamous attack of a Chrysler. Miller and Valasek (again) were able to remotely disable the throttle of a vehicle, which quickly generated a recall by the National Highway Traffic Safety Administration (NHTSA) of the USA.
2015 Tencent revealed at the 2015 DEFCON conference that they had successfully hacked into Tesla cars. Tesla quickly updated their vehicles to eradicate the vulnerability.
2016 A hacker, located in Australia, took charge of a Nissan Leaf in the north of England, which included controlling most of the instrument panel and stealing location history from the onboard computer.
2016 Pen Test Partners hacked a Mitsubishi Outlander via the vehicle’s WiFi, and were able to remotely open the door to thieves.
2017 The Blue Link app of Hyundai contained a vulnerability where hackers could enter via insecure Wifi and obtain private user information and start cars remotely.
2018 Just when the OEMs felt they had released a secure vehicle, Calamp releases a misconfigured server that provided open access to more than 1.5 million IoT devices provided by Viper SmartStart, thereby allowing unwanted location of vehicles, password resets, door unlocks, alarm disables, engine starts and vehicle thefts.
Written by Joakim Rosell
From all of us to all of you.
Happy Holidays and a Happy New Year.